Securityflags: g

PEM Private Key Block

Match PEM-encoded private key blocks across the common variants (RSA, EC, DSA, OpenSSH, encrypted, PGP).

Try it in RegexPro →

Available in

JSSupported

JavaScript / ECMAScript

Browser-native RegExp. Default if you don't pick.

PYSupported

Python (re)

CPython stdlib `re`. Unicode-aware `\w` and `\d` by default.

GOSupported

Go (RE2)

Linear-time matching. No backreferences or lookarounds.

Pattern

regexengine-agnostic
-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY-----[\s\S]+?-----END (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY-----   (flags: g)

Raw source: -----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY-----[\s\S]+?-----END (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY-----

How it works

The optional `(?:RSA |EC |DSA |OPENSSH |ENCRYPTED |PGP )?` group covers the algorithm prefix variants. [\s\S]+? lazily matches the multiline base64 body. The closing `-----END ... PRIVATE KEY-----` mirrors the opening. This is the canonical pattern for secret-scanning tools.

Examples

Input

-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----

Matches

  • -----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----

Input

-----BEGIN OPENSSH PRIVATE KEY-----\nb3Blbn...\n-----END OPENSSH PRIVATE KEY-----

Matches

  • -----BEGIN OPENSSH PRIVATE KEY-----\nb3Blbn...\n-----END OPENSSH PRIVATE KEY-----

Input

-----BEGIN CERTIFICATE-----

No match

Common use cases

  • Pre-commit secret-scanning for committed private keys
  • PR diff scanning in CI
  • Backup file redaction
  • Incident response for key leaks
PreviousURL Path Segment
All patterns
NextKeep-a-Changelog Entry Header